Pass LaunchDarkly's REST API IP Allowlist With a Static IP

QuotaGuard Engineering
June 26, 2026

Route your LaunchDarkly REST API calls through QuotaGuard Static, set one environment variable, and add the two assigned IPs to LaunchDarkly's API token allowlist.

LaunchDarkly's IP allowlist can restrict REST API access to a fixed set of IP addresses. If your code calls the LaunchDarkly REST API from a cloud platform with dynamic egress IPs, those calls start failing the moment the allowlist is on. Route the calls through a static IP proxy and they exit from a fixed address every time.

LaunchDarkly's IP Allowlist Covers Browser Access and the REST API

The allowlist lives in Organization settings under Security. It has two independent toggles. The Browser allowlist controls which IP addresses can sign into the LaunchDarkly app in a browser. The API token allowlist controls which IP addresses can call the LaunchDarkly REST API. You can turn on either one or both.

The static IP problem applies to the API token allowlist. When it's on, REST API requests are accepted only from the IP addresses and CIDR ranges you've listed. A request from any other address is rejected. The allowlist accepts IPv4 addresses only.

This feature is available on select LaunchDarkly plans. Confirm it's enabled on your account before you configure anything on the QuotaGuard side.

QuotaGuard Static Gives You Two Fixed IPs to Allowlist

QuotaGuard Static is an HTTP/HTTPS/SOCKS5 proxy running on AWS. Every account is assigned two static IP addresses behind a load balancer. Those two IPs don't change. You add both to LaunchDarkly's API token allowlist, point your REST API client at the proxy, and every API call exits from one of those two addresses. Your two assigned IPs are shown in your QuotaGuard dashboard after sign-up.
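Before switching the API token allowlist on, it helps to confirm that the entries you plan to save are IPv4 and that both assigned proxy IPs are covered. The sketch below is an added example, not QuotaGuard or LaunchDarkly code; `audit_allowlist` is a hypothetical helper and every address in it is a constructed documentation value.

```python
import ipaddress


def audit_allowlist(entries, assigned_ips):
    """Check draft allowlist entries against the proxy's assigned egress IPs.

    Returns a dict with:
      rejected  - (entry, reason) pairs that are not usable IPv4 entries
      uncovered - assigned IPs that no accepted entry matches
      wide      - accepted CIDR ranges that admit more than a single address
    """
    networks, rejected = [], []
    for entry in entries:
        try:
            # strict=False masks host bits ("198.51.100.7/24" -> "198.51.100.0/24");
            # that normalisation is this example's choice.
            net = ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            rejected.append((entry, "not an IP address or CIDR range"))
            continue
        if net.version != 4:
            rejected.append((entry, "IPv6 is not accepted"))
            continue
        networks.append(net)

    uncovered = [
        ip for ip in assigned_ips
        if not any(ipaddress.ip_address(ip) in net for net in networks)
    ]
    wide = [str(net) for net in networks if net.num_addresses > 1]
    return {"rejected": rejected, "uncovered": uncovered, "wide": wide}


# Constructed sample values (RFC 5737 / RFC 3849 documentation ranges).
ASSIGNED_IPS = ["203.0.113.10", "203.0.113.11"]
DRAFT_ALLOWLIST = ["203.0.113.10", "198.51.100.0/24", "2001:db8::1", "not-an-ip"]

if __name__ == "__main__":
    report = audit_allowlist(DRAFT_ALLOWLIST, ASSIGNED_IPS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

An empty `uncovered` list means both proxy IPs are listed; anything under `wide` admits more addresses than the two you were assigned.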

One Environment Variable Routes Your REST API Calls Through the Proxy

Set the proxy URL as an environment variable. The value comes from your QuotaGuard dashboard.

QUOTAGUARDSTATIC_URL=http://username:password@proxy.quotaguard.com:9293

Any tool that honors the standard HTTPS_PROXY environment variable routes through the proxy with no code change. That covers curl, most language HTTP clients, and many CLIs.

export HTTPS_PROXY="$QUOTAGUARDSTATIC_URL"

curl https://app.launchdarkly.com/api/v2/projects \
  -H "Authorization: YOUR_ACCESS_TOKEN" \
  -H "LD-API-Version: 20240415"

To set the proxy explicitly in code instead, pass it to your HTTP client. Here it is with Python's requests library.

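import os
import requests

# Proxy URL from the QuotaGuard dashboard; it embeds credentials, so keep it out of logs.
proxy = os.environ["QUOTAGUARDSTATIC_URL"]

response = requests.get(
    "https://app.launchdarkly.com/api/v2/projects",
    headers={
        "Authorization": os.environ["LAUNCHDARKLY_API_TOKEN"],
        "LD-API-Version": "20240415",
    },
    # Send both schemes through the proxy so the call exits from a static IP.
    proxies={"https": proxy, "http": proxy},
    timeout=30,  # fail instead of hanging if the proxy or API is unreachable
)
response.raise_for_status()  # surface a rejected request as an exception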

LaunchDarkly authenticates the REST API with an Authorization header set to your access token. The LD-API-Version header is optional, but LaunchDarkly recommends setting it on every integration so a future API version change doesn't break your calls. Check LaunchDarkly's REST API reference for the current version string and the exact endpoints your integration uses.

Only Your REST API Calls Need the Static IP

LaunchDarkly SDKs don't use the REST API. They connect to LaunchDarkly's streaming and CDN endpoints, and those connections are not governed by the API token allowlist. You don't need to route SDK traffic through the proxy to satisfy the allowlist. Point only your REST API clients at QuotaGuard. That's the tooling that manages flags, environments, and account resources, such as CI/CD jobs, infrastructure-as-code runs, and backend services that call the management API. Your SDKs keep connecting as they already do.

The same applies to the LaunchDarkly Relay Proxy. It talks to LaunchDarkly's SDK endpoints, not the REST API allowlist, so it doesn't need the static IP for this purpose.
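Exporting HTTPS_PROXY sends every client in the process that honors it through the proxy. To scope the proxy to the REST API host alone, the following added example (not code from QuotaGuard or LaunchDarkly) uses the per-host proxy keys and `trust_env` setting of Python's requests library; `scoped_proxies`, `redact` and `rest_session` are hypothetical helper names.

```python
from urllib.parse import urlsplit

# Origin used by the REST API calls shown earlier on this page.
REST_API_ORIGIN = "https://app.launchdarkly.com"


def scoped_proxies(proxy_url):
    """requests proxy map keyed by scheme://host, so only REST API calls use the proxy."""
    return {REST_API_ORIGIN: proxy_url}


def redact(proxy_url):
    """Return the proxy URL with its username:password masked, safe for logs."""
    parts = urlsplit(proxy_url)
    host = parts.hostname or ""
    if parts.port:
        host = f"{host}:{parts.port}"
    userinfo = "***@" if parts.username else ""
    return f"{parts.scheme}://{userinfo}{host}"


def rest_session(proxy_url, token):
    """Session whose traffic to the REST API origin, and nothing else, is proxied."""
    import requests  # third-party; imported here so the helpers above work without it

    session = requests.Session()
    # Ignore HTTPS_PROXY/NO_PROXY from the environment so other hosts stay direct.
    # Note that this also turns off .netrc and CA-bundle environment lookups.
    session.trust_env = False
    session.proxies = scoped_proxies(proxy_url)
    session.headers.update({"Authorization": token, "LD-API-Version": "20240415"})
    return session


if __name__ == "__main__":
    import os

    url = os.environ["QUOTAGUARDSTATIC_URL"]
    print("REST API calls exit via", redact(url))
    s = rest_session(url, os.environ["LAUNCHDARKLY_API_TOKEN"])
    print(s.get(f"{REST_API_ORIGIN}/api/v2/projects", timeout=30).status_code)
```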

QuotaGuard Static Pricing Starts at $19/Month

Bandwidth is bundled. No per-GB overage fees. LaunchDarkly REST API traffic is low-volume for most teams, so the Starter plan at 10 GB per month covers the typical flag-management workload. Dedicated IPs are available on Enterprise and above. On lower tiers, your two assigned IPs are still static, but shared with other customers.

QuotaGuard Shield Pricing Starts at $29/Month

For standard LaunchDarkly REST API calls, Static is the right product. Use QuotaGuard Shield instead when the same egress path also carries regulated data like health records, payment information, or PII, or when your environment requires that no proxy ever decrypts traffic in transit. Shield uses SSL passthrough, so QuotaGuard does not decrypt your payload contents. It costs slightly more than Static at each tier.

All plans include a 3-day trial. Enterprise plans include a 7-day trial. Credit card required.

See the full pricing table at quotaguard.com/products/pricing.
